
MFA Deployment Tips

RedShield is now rolling out Multi-Factor Authentication (MFA), i.e. adding ‘something you have’ or ‘something you are’ to ‘something you know’ when you log in. Usually this involves a one-time code sent by SMS to your phone or by email (something you have), which you enter as a second step of validation.

When we deploy MFA there are a few things we regularly come across and aim to clarify during discovery, so it helps to have these in mind as you design your MFA service with us:

  1. Email vs SMS: A code-style MFA can send codes to either an email address or a mobile number. If there is any uncertainty about a mobile number being available (or correct in the application), it is advisable to use email.

  2. SMS costs: How many users do you have? How many logins are going to happen? If it’s a lot and you don’t already have an SMS service, you may need to consider the cost and provisioning of an SMS service, or alternatively select email as the code notification option.

  3. Timeout functions: If the site or web application also has a timeout (i.e. it logs a user off after a period of inactivity), this will obviously increase the number of logins and potentially the number of SMS messages. Providing us with any existing access policy helps us configure this to work for you.

  4. Email as username: If your login is set up to use the email address as the username, this helps us greatly and is a prerequisite for ‘No-code MFA’.

  5. Records: The authentication process will check a record, e.g. is there a phone number for the user? Has this record been established? Has a change or onboarding process been established to ensure records are available? If not, what is the bypass policy? Is there a grace period? These are good things to establish in design.

  6. Bypass list: Do you need a bypass or whitelist? A bypass list can be included in the MFA integration if specific login ids need to skip MFA. Bring this into scope in design or discovery, or cut it from scope to save deployment time.

  7. Responses: Do you want a custom response page? What are the key messages? Is there a response page for the grace period or bypass? What does the user need to do after the response page is presented?
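To make the design decisions in tips 1, 5 and 6 concrete, here is an added illustration (not RedShield’s integration code) of how a code-style MFA service might choose a delivery channel per login and handle the codes it sends. The record fields, the bypass list, the 14-day grace period and the 5-minute code lifetime are assumptions for the example, not settings of the RedShield service.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CODE_TTL = timedelta(minutes=5)          # assumed lifetime of a one-time code
SERVER_KEY = secrets.token_bytes(32)     # constructed; a deployment loads this from a secret store

@dataclass
class UserRecord:
    login_id: str                          # the username; an email address when tip 4 applies
    mobile: Optional[str] = None           # phone number on record, or None
    mobile_verified: bool = False          # False when the number may be missing or stale (tip 1)
    created_at: Optional[datetime] = None  # onboarding date; drives the grace period (tip 5)

def choose_channel(user, bypass_ids, grace_period, now):
    """Decide how MFA applies to one login: 'bypass', 'sms', 'email', 'grace' or 'deny'."""
    if user.login_id.lower() in bypass_ids:       # tip 6: explicit bypass list of login ids
        return "bypass"
    if user.mobile and user.mobile_verified:      # tip 1: SMS only when the number is trusted
        return "sms"
    if "@" in user.login_id:                      # tips 1 and 4: otherwise fall back to email
        return "email"
    if user.created_at and now - user.created_at <= grace_period:
        return "grace"                            # tip 5: no record yet, inside the grace window
    return "deny"                                 # no record and the grace period has elapsed

def issue_code(now):
    """Generate a 6-digit code; keep only its keyed hash, expiry and attempt counter server-side."""
    code = f"{secrets.randbelow(10**6):06d}"
    digest = hmac.new(SERVER_KEY, code.encode(), "sha256").hexdigest()
    return code, {"digest": digest, "expires": now + CODE_TTL, "attempts": 0}

def verify_code(submitted, stored, now, max_attempts=5):
    """Accept a code only if unexpired, under the attempt limit and matching (constant-time compare)."""
    if now > stored["expires"] or stored["attempts"] >= max_attempts:
        return False
    stored["attempts"] += 1
    digest = hmac.new(SERVER_KEY, submitted.encode(), "sha256").hexdigest()
    return hmac.compare_digest(digest, stored["digest"])

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0)   # constructed timestamp
    alice = UserRecord("alice@example.com", mobile="+6421000000", mobile_verified=True)
    print(choose_channel(alice, {"svc-monitor@example.com"}, timedelta(days=14), now))  # sms
    code, stored = issue_code(now)
    print(verify_code(code, stored, now + timedelta(minutes=1)))  # True
```

The "grace" and "deny" outcomes are where the custom response pages from tip 7 would be shown, so the user knows what to do next.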